Laragear / WebAuthn

Authenticate users with Passkeys: fingerprints, patterns and biometric data.
MIT License

[1.x] A challenge is returned when there is no device registered #36

Closed asivaneswaran closed 1 year ago

asivaneswaran commented 1 year ago

PHP & Platform

8.2.1 & macOS

Database

No response

Laravel version

10

Have you done this?

Expectation

My understanding is that if there is no associated credential to the user, the challenge should be empty.

Description

I created a new user and on the first login, I want the user to log in via the password, as no passkey has been saved to the device yet. But when I hit the `/login/options` route, I get a challenge instead of the null value.

Reproduction

1. Create a new user
2. Send the email as the credential to the `/login/options` route

Stack trace & logs

No response

DarkGhostHunter commented 1 year ago

It's not a bug, it's a feature. It will always return a challenge to avoid telling the attacker the user has a valid credential.
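
The difference between the two behaviours discussed in this thread, as an added example that is not part of the thread and not Laragear's code: a response that is `null` when no credential exists lets anyone probe which emails have a passkey, while a challenge returned for every email does not, and `isEnumerable()` is a regression check for that property. All function names, the credential store and the sample emails are constructed; the uniform variant assumes discoverable credentials, so it omits `allowCredentials` to keep the keys identical too.

```php
<?php
// Added illustration, not Laragear's code; all names and data are constructed.

/** Hypothetical credential lookup: email => registered credential IDs. */
function credentialIdsFor(string $email): array
{
    $store = [
        'alice@example.test' => ['Y3JlZC1hbGljZQ'],
        'bob@example.test'   => [], // account exists, no passkey yet
    ];
    return $store[$email] ?? [];    // unknown email => no credentials
}

/** Fresh 32-byte challenge, base64url-encoded without padding. */
function newChallenge(): string
{
    return rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
}

/** Leaky variant: null when nothing is registered (what the issue expected). */
function leakyOptions(string $email): ?array
{
    $ids = credentialIdsFor($email);
    return $ids === [] ? null : ['challenge' => newChallenge(), 'allowCredentials' => $ids];
}

/** Uniform variant: same keys for every email (assumes discoverable credentials). */
function uniformOptions(string $email): array
{
    return ['challenge' => newChallenge(), 'userVerification' => 'preferred'];
}

/** What any caller can compare across requests: null, or the sorted key names. */
function shape(?array $response): string
{
    $keys = array_keys($response ?? []);
    sort($keys);
    return $response === null ? 'null' : implode(',', $keys);
}

/** True when the response shape varies by email, i.e. the endpoint is an oracle. */
function isEnumerable(callable $endpoint, array $emails): bool
{
    $shapes = array_map(fn (string $e): string => shape($endpoint($e)), $emails);
    return count(array_unique($shapes)) > 1;
}

$emails = ['alice@example.test', 'bob@example.test', 'nobody@example.test'];
var_dump(isEnumerable('leakyOptions', $emails), isEnumerable('uniformOptions', $emails));
```

The check compares only response shape; status codes and response timing are separate signals and would need their own comparison.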